Too many wildcards in the search request cause the system to immediately shoot to 100% CPU, heap - DoS attack


We recently came across a case where there are wildcard searches like " ab bcd xyz" (just an example to indicate that wildcards are present at the beginning and end, or anywhere, on multiple words). When a lot of users execute similar searches in parallel, the server does not respond and resource usage shoots to 100%. The only option to recover was to restart the cluster.

This falls under a potential case for DDoS attacks. Is there any configuration or control that can be set in the query to kill the request if it takes more time, like 5 seconds or so, and release the resources used by this query?

The search string did not carry * in the forum, hence expanding it to words: (ST) = *
" (ST)a(ST) b (ST)bcd(ST) (ST)z(ST) "

ES versions in use are 7.0, 6.1

Such a setting has very recently been added for the next minor version, see
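An application-side guard for the situation in this thread, as an added example that is not part of the thread and is not the setting the reply refers to: it rejects search strings with leading or numerous wildcards before they reach the cluster, and attaches a `timeout` to the requests it lets through. The limits, the `title` field and the function names are assumptions; `timeout` and `allow_leading_wildcard` are standard Elasticsearch search options.

```python
import re

# Assumed policy limits (not from the thread); tune for your data.
MAX_WILDCARD_TERMS = 2   # wildcard-bearing words allowed per search
MIN_LITERAL_CHARS = 3    # literal characters required in each such word


class RejectedQuery(ValueError):
    """Raised when a search string violates the wildcard policy."""


def check_wildcards(text):
    """Return the reasons a user search string should be rejected."""
    reasons = []
    wild_terms = [t for t in text.split() if re.search(r"[*?]", t)]
    if len(wild_terms) > MAX_WILDCARD_TERMS:
        reasons.append(f"too many wildcard terms: {len(wild_terms)}")
    for term in wild_terms:
        if term[0] in "*?":
            reasons.append(f"leading wildcard: {term}")
        if len(re.sub(r"[*?]", "", term)) < MIN_LITERAL_CHARS:
            reasons.append(f"too few literal characters: {term}")
    return reasons


def build_search_body(text, field="title"):
    """Build a query_string search body, or raise RejectedQuery."""
    reasons = check_wildcards(text)
    if reasons:
        raise RejectedQuery("; ".join(reasons))
    return {
        "timeout": "5s",  # the 5-second budget asked about in the thread
        "query": {
            "query_string": {
                "query": text,
                "default_field": field,
                # Server-side backstop in case a pattern slips past the check.
                "allow_leading_wildcard": False,
            }
        },
    }


if __name__ == "__main__":
    # Constructed inputs: the thread's pattern with (ST) expanded to *.
    for sample in ["*a* b *bcd* *z*", "elastic search*"]:
        try:
            print(sample, "->", build_search_body(sample))
        except RejectedQuery as err:
            print(sample, "-> rejected:", err)
```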
